The PCI Council is trying to clarify how Qualified Security Assessors (QSAs) should address cloud environments. The supplement provides an explanation of common deployment and service models for cloud environments, including how implementations may vary within the different types. It also outlines the roles and responsibilities of cloud providers and customers, and includes segmentation and scoping considerations around individual PCI DSS requirements, as well as some of the challenges associated with validating PCI DSS compliance in a cloud environment.

However, the new guidelines – like most related to PCI compliance – leave many questions around the use of public clouds and real-world implementation.

Information as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) are the most prevalent deployment models for organizations that want to use the cloud. Each of these deployment methods come with their own challenges for assessing the environment, though. As an organization moves from an IaaS environment, where most of the control resides with the hosted entity, to a SaaS environment, where most of the control resides with the Cloud Service Provider, the importance of compliance tracking programs for service providers become more critical.

“Many merchants mistakenly believe that if they outsource everything to a cloud service provider, much of the responsibility goes away for being PCI compliant – unfortunately, that’s simply not the case,” noted Bob Russo, general manager at the PCI SSC, in a recent article. “A merchant needs to ensure that a cloud services provider is PCI-compliant not just for its own piece, but for the entire spectrum, including what that provider is specifically doing for the merchant.”

As part of the compliance program, organizations need to have a good understanding of the segmentation between the hosted entities. The goal is to segment each of the cloud-hosted entities as one would segment a physical network. The biggest challenges that are presented in the supplement are the validation of segmentation between hosted entities, vulnerability scanning, and scoping.

When dealing with an organization like Amazon or other large scale cloud service providers it can be difficult to get specific details regarding how hosted entities are segregated from each other. Cloud Service Providers typically want to keep that information private due to the proprietary nature of cloud architecture. Vulnerability scanning causes a similar problem in that the Cloud Service Provider will not want to have their logs filled with scans of systems that are not involved with the scope of a hosted entities’ compliance, as well as possibly exposing detailed information about how their Cloud is built.

Finally, scoping is an issue because if the Cloud Service Provider has not undergone an assessment of their compliance with PCI then all the hosted entities in the cloud come into scope because the Cloud network may be designed in a way that will allow other hosted entities within the cloud to see traffic destined for another hosted entity thereby exposing that data to potential compromise.

In summary, while the guidelines clarify some questions around cloud security and PCI compliance, there are still many instances in which merchants and providers may wish to consult with a PCI QSA and security expert.